[Dovecot] What are they trying to do here?

Timo Sirainen tss at iki.fi
Mon Jun 4 03:34:13 EEST 2007


On Wed, 2007-05-30 at 09:10 -0600, Jon Slater wrote:
> I’ve been using Dovecot (dovecot-0.99.14-8.fc4) on my Fedora Core 4 (kernel
> 2.6.17-1.2142_FC4) machine for quite some time.

Note that 0.99 is several years old already and it's not really
supported anymore.

> So it looks pretty obvious that someone (using root and an assortment
> of other login names) is trying to access my dovecot server.
>
> My first ‘issue’ is I can’t find a log file anywhere that tells me the IP
> address of the attacker.  I see a series of ‘authentication failure’
> messages in my /log/messages file:
>
> May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root

You're using PAM. Unfortunately it doesn't really give any better
messages. You could find out the IP by finding "Aborted login" messages
from Dovecot near the same timestamp. They're most likely
in /var/log/maillog or something similar.

You could also set auth_verbose=yes in dovecot.conf. After that Dovecot
will also log the authentication failures (at least v1.0 does, I don't
remember if v0.99 had that setting) so it's easier to find the IP.

> Secondly, I’m wondering if I have anything to be concerned about.

Probably just some random attacks.
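The timestamp correlation Timo describes (PAM failure in /var/log/messages, "Aborted login" in /var/log/maillog) can be scripted; this is an added example, not code from the post or from Dovecot. The log lines are constructed, the field layout of the Dovecot "Aborted login" line (user=<...>, rip=...) is assumed, and the 5-second window is an assumed default.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the original post) in the two formats discussed:
# PAM's failure line from /var/log/messages and a Dovecot "Aborted login" line from
# /var/log/maillog. The field layout of the Dovecot line is assumed.
MESSAGES = """\
May 29 21:23:35 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
May 29 21:23:41 mydomainname dovecot(pam_unix)[15317]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=admin
"""
MAILLOG = """\
May 29 21:23:37 mydomainname dovecot: imap-login: Aborted login: user=<root>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
May 29 21:23:43 mydomainname dovecot: imap-login: Aborted login: user=<admin>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
May 29 21:30:00 mydomainname dovecot: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
PAM_FAIL = re.compile(r"dovecot\(pam_unix\).*authentication failure;.*\buser=(\S+)")
ABORTED = re.compile(r"Aborted login.*user=<([^>]*)>.*\brip=([\d.]+)")

def parse_ts(line, year=2007):
    """Syslog timestamps carry no year; it is passed in (2007 matches the sample)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def correlate(messages, maillog, window_s=5):
    """Map each PAM failure to the Dovecot 'Aborted login' entry for the same user
    within window_s seconds; returns a list of (pam_time, user, rip or None)."""
    aborted = [(parse_ts(l), m.group(1), m.group(2))
               for l in maillog.splitlines() if (m := ABORTED.search(l))]
    results = []
    for line in messages.splitlines():
        m = PAM_FAIL.search(line)
        if not m:
            continue
        t, user = parse_ts(line), m.group(1)
        rip = next((ip for (ta, u, ip) in aborted
                    if u == user and abs((ta - t).total_seconds()) <= window_s), None)
        results.append((t, user, rip))
    return results

def top_sources(results):
    """Count matched failures per source IP so a single noisy host stands out."""
    counts = {}
    for _, _, rip in results:
        if rip:
            counts[rip] = counts.get(rip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

Unmatched failures (rip None) usually mean the window is too narrow or the login came over a different service than the maillog captured.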